Severity: NONE

CVE-2026-43073

Published: May 5, 2026 · Updated: May 6, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 4.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

x86-64: rename misleadingly named '__copy_user_nocache()' function

This function was a masterclass in bad naming, for various historical reasons.

It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses.

Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86.

The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it.

But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully.

Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak.

Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination.

Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller).

Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all.

NVD Source

Technical Analysis

CVE-2026-43073 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux, Go
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-43073
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: May 5, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43073 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.